The multiple WAN (multi-WAN) capabilities of pfSense allow a firewall to utilize
multiple Internet connections to achieve more reliable connectivity and greater
throughput capacity. Before proceeding with a multi-WAN configuration, the
firewall must have a functional two-interface (LAN and WAN) configuration.
pfSense is capable of handling many WAN interfaces, with multiple deployments
using 10-12 WANs in production. It will scale even higher than that, though we
aren’t aware of any installations using more than 12 WANs.

All WAN-type interfaces are treated identically in the GUI. Anything that can be
done with the primary WAN can also be done with an additional OPT WAN interface.
There are no significant differences between the primary WAN and additional
WANs.

This chapter starts by covering items to consider when implementing any
multi-WAN solution, then covers multi-WAN configuration with pfSense.

Speaking from the experience of those who have seen firsthand the effects of
multiple cable-seeking backhoes, as well as nefarious copper thieves, it is very
important to make sure connectivity choices for a multi-WAN deployment utilize
disparate cabling paths. In many locations, DSL connections and any other
services utilizing copper pairs are carried on a single cable and are subject to
the same cable cut. Other services from the same telco, such as fiber circuits,
may run along the same poles or conduits.

If one connection comes in over copper pair (DSL), choose a secondary connection
utilizing a different type and path of cabling. Cable connections are typically
the most widely available option not subject to the same outage as copper
services. Other options include fiber service or fixed wireless coming in on a
different path from copper services.

Two connections of the same type cannot be relied upon to provide redundancy in
most cases. An ISP outage or cable cut will commonly take down all connections
of the same type. Some pfSense users use multiple DSL lines or multiple cable
modems, though the only redundancy that typically offers is isolating a site
from modem or other CPE (Customer Premises Equipment) failure. Consider multiple
connections from the same provider as a solution only for additional bandwidth,
as the redundancy such a deployment offers is minimal.

Another consideration when selecting Internet connectivity for a site is the
path from the connection itself to the Internet. For redundancy purposes,
multiple Internet connections from the same provider, especially of the same
type, should not be relied upon as they could all fail concurrently.

With larger providers, two different types of connections such as a fiber line
and DSL will usually traverse significantly different networks until reaching
core parts of the network. These core network components are generally designed
with high redundancy and any problems are addressed quickly since they have
widespread effects. Hence such connectivity is isolated from most ISP issues,
but since both connections commonly utilize the same cable path, the site is
still vulnerable to extended outages from cable cuts.

In the past, high-grade telco services such as DS1 or DS3 circuits were the
choice for environments with high availability requirements. Generally the
Service Level Agreements (SLA) offered on DS1 and DS3 connections were better
than other types of connectivity, and those circuits were generally seen as more
reliable. End-users have largely left such circuits behind, however, because
they are too slow or too costly by today’s standards. With the multi-WAN
capabilities on pfSense, a site can have more bandwidth and better redundancy
for less money in many cases. Fiber services are rapidly becoming more
widespread, shaking up this concept by providing extremely large amounts of
bandwidth for relatively low cost, though such services may still have a
less-than-desirable SLA for outage response.

Most organizations requiring high-availability Internet connections do not want
to rely upon DSL, cable or other “lesser class” broadband Internet connections.
While they’re usually significantly faster and cheaper, the lesser SLA is enough
to make many companies stick with DS1 or DS3 connectivity. In areas where
multiple lower-cost broadband options are available, such as DSL and cable, the
combination of pfSense and two low-cost Internet connections provides more
bandwidth and better redundancy at a lower cost. The chance of two different
broadband connections going down simultaneously is significantly less than the
chance of any single service outage. Adding a backup cable or DSL line to
supplement a much faster fiber line ensures connectivity will continue when an
outage occurs on the fiber line, even if it is a rare occurrence.